Access Control: Database Fortify - fortify

We ran the Fortify scan and had some Access Control: Database issues. The code is getting the textbox value and setting it to a string variable. In this case, it's passing the value from the TextBox to the stored procedure in a database. Any ideas on how I can get around this Access Control: Database issue?
Without proper access control, the method ExecuteNonQuery() in DataBase.cs
can execute a SQL statement on line 320 that contains an attacker-controlled primary
key, thereby allowing the attacker to access unauthorized records.
Source: Tool.ascx.cs:591 System.Web.UI.WebControls.TextBox.get_Text()
rptItem.FindControl("lblClmInvalidEntry").Visible = false;
ToolDataAccess.UpdateToolData(strSDN, strSSNum, strRANC, strAdvRecDate, strAdvSubDate, strClmRecDate, strClmAuth, strClmSubDate, strAdvAuth, txtNoteEntry.Text);
Sink: DataBase.cs:278
System.Data.SqlClient.SqlParameterCollection.Add()
// Add parameters
foreach (SqlParameter parameter in parameters)
cmd.Parameters.Add(parameter);

The point of "Access Control: Database" is where it isn't being specific enough in the query and so could potentially allow a user to see information that they're not supposed to.
An easy example of this vulnerability would be a payroll database where there is a textbox that says the ID of the employee and gives their salary; this could potentially allow the user to change the ID and see the salary of other employees.
Another example where this is often intended functionality is in a website URL where the product ID is used in a parameter, meaning a user could go through every product you have on your site. But as this only allows users to see information they're supposed to be able to, it's not particularly a security issue.
For instance:
"SELECT account_balance FROM accounts WHERE account_number = " + $input_from_attacker + ";"
// even if we safely build the query above, preventing change to the query structure,
// the attacker can still send someone else's account number, and read Grandma's balance!
As this is pretty context-based, it's difficult to determine statically, so there are lots of examples where Fortify may catch this but it's actually intended functionality. That's not to say the tool is broken; it's just one of the limitations of static analysis, and depending on what your program is supposed to be doing it may or may not be intended.
If this is intended to work like this, then I would suggest auditing it as not an issue or suppressing the issue.
If you can see that this is definitely an issue and users can see information that they shouldn't be able to, then the stored procedure needs to be more specific so that users can only see information they should be able to. However, SCA will likely still pick this up in a later scan, so you would still then need to audit it as fixed and no longer an issue.
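To make the distinction in the answer above concrete, here is an added example (not code from the question or from Fortify) in Python with an in-memory SQLite table standing in for the SQL Server table behind the stored procedure. The table, the account numbers and the user names are constructed. The first function is the flagged pattern: parameterized, so injection is not the problem, but the only selector is the client-supplied key. The scoped versions add the authenticated principal to the WHERE clause, which is what "the stored procedure needs to be more specific" means in practice; the UPDATE variant mirrors the ExecuteNonQuery() sink and uses the row count to tell whether the caller's own row was touched.

```python
import sqlite3


# Constructed sample data: an in-memory SQLite table stands in for the
# SQL Server table behind the stored procedure in the question.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_number TEXT PRIMARY KEY, owner TEXT, "
        "balance INTEGER, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        [("1001", "alice", 250, ""), ("1002", "grandma", 9000, "")],
    )
    conn.commit()
    return conn


def balance_unscoped(conn, account_number):
    """Parameterized, so the query structure cannot be changed, but the only
    selector is the client-supplied key: any caller can read any account.
    This is the pattern the 'Access Control: Database' finding flags."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE account_number = ?",
        (account_number,),
    ).fetchone()
    return row[0] if row else None


def balance_scoped(conn, account_number, current_user):
    """Hardened form: the WHERE clause also binds the authenticated
    principal (taken from the server-side session, never from the request),
    so a record that is not the caller's is simply not found."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE account_number = ? AND owner = ?",
        (account_number, current_user),
    ).fetchone()
    return row[0] if row else None


def update_note_scoped(conn, account_number, current_user, note):
    """Same idea for the UPDATE behind an ExecuteNonQuery()-style call such as
    the question's UpdateToolData: the row count tells the caller whether the
    update touched a row it owns (1) or was refused (0)."""
    cur = conn.execute(
        "UPDATE accounts SET note = ? WHERE account_number = ? AND owner = ?",
        (note, account_number, current_user),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print(balance_unscoped(db, "1002"))                         # 9000: alice reads grandma's balance
    print(balance_scoped(db, "1002", "alice"))                  # None
    print(balance_scoped(db, "1001", "alice"))                  # 250
    print(update_note_scoped(db, "1002", "alice", "new note"))  # 0 rows touched
```

The same shape carries over to a stored procedure: pass the caller's identity as a parameter populated server-side and filter on it inside the procedure, rather than trusting the record key alone.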

Related

jira createmeta not showing all customfields

If I navigate to /rest/api/2/issue/createmeta/PROJ/issuetype/N (in this case, I'm getting Task), the list of fields returned is incomplete. There are a number of customfields that are in use (I can see them both in the tickets themselves, and also in /plugins/servlet/project-config/PROJ/fields ) that are in the createmeta data.
I'm really trying to do this in python jira, where I'm using "expand='projects.issuetypes.fields'" in the createmeta() call, but I figured I'd double-check the results in the rest API directly, and I'm getting the same results there, too.
This is happening in jira 8.20.7.
Essentially, what I'm trying to do is to programmatically get a name/id mapping of all fields in the ticket type. I'm having far more difficulty doing that than I thought there would be. I would do it based on /rest/api/2/field but the jira admins have allowed some duplicated names...
EDIT: I realized that it might be worth noting that some of the fields I'm looking for are coming from a ServiceDesk form, although, as far as I can tell, there's no way to determine that, since one of the missing fields contains the name of the form.
Why are you using createmeta endpoint?
Instead of that, in order to get all of the customfields and their values, just note their ids and get the values from the /rest/api/2/issue/{issueKey} endpoint.
When you send a GET request to /rest/api/2/issue/{issueKey} endpoint, you will get a JSON object which contains "fields" object in it.
And using the "fields" you can determine all of the values that include system fields (description, assignee, etc.) and custom fields (like customfield_<customfieldid>).
And for a general approach, you may want to look at the field types in that response.
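As an added illustration of the approach in the answer above (not code from the question, the answer or the python-jira library), the following Python works offline on two constructed JSON documents: a stand-in for the /rest/api/2/field listing, in which two custom fields deliberately share the name "Approver" as in the question, and a stand-in for the "fields" object of a /rest/api/2/issue/{issueKey} response. It maps ids to names (always unique), names to a list of ids (because names may be duplicated), and classifies each field on the issue as system or custom from the customfield_ prefix. In a real run the two documents would come from GET requests to those endpoints.

```python
import json

# Constructed stand-in for GET /rest/api/2/field. The two "Approver" entries
# reproduce the duplicate-name situation described in the question.
FIELD_LIST_JSON = json.dumps([
    {"id": "summary", "name": "Summary", "custom": False},
    {"id": "description", "name": "Description", "custom": False},
    {"id": "customfield_10010", "name": "Approver", "custom": True},
    {"id": "customfield_10042", "name": "Approver", "custom": True},
    {"id": "customfield_10055", "name": "Request Type", "custom": True},
])

# Constructed stand-in for GET /rest/api/2/issue/{issueKey}; only the
# "fields" object is used here.
ISSUE_JSON = json.dumps({
    "key": "PROJ-1",
    "fields": {
        "summary": "Laptop request",
        "description": None,
        "customfield_10010": {"name": "jdoe"},
        "customfield_10042": None,
        "customfield_10055": {"requestType": {"name": "Hardware"}},
    },
})


def id_to_name(field_list_json):
    """Map every field id to its display name; ids are unique, so this
    direction is always unambiguous."""
    return {f["id"]: f["name"] for f in json.loads(field_list_json)}


def name_to_ids(field_list_json):
    """Reverse map. A name may resolve to several ids when admins have reused
    names, so the value is always a list and the caller must disambiguate."""
    out = {}
    for f in json.loads(field_list_json):
        out.setdefault(f["name"], []).append(f["id"])
    return out


def fields_on_issue(issue_json, field_list_json):
    """Return (id, name, kind, value) for each field present on the issue,
    where kind is 'system' or 'custom' based on the id prefix."""
    names = id_to_name(field_list_json)
    rows = []
    for fid, value in json.loads(issue_json)["fields"].items():
        kind = "custom" if fid.startswith("customfield_") else "system"
        rows.append((fid, names.get(fid, fid), kind, value))
    return rows


if __name__ == "__main__":
    for row in fields_on_issue(ISSUE_JSON, FIELD_LIST_JSON):
        print(row)
    print(name_to_ids(FIELD_LIST_JSON)["Approver"])
```

Keying everything on the id, and treating the name only as a label, sidesteps the duplicate-name problem entirely.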

IDOC file generation in ecommerce system

I want to generate an IDOC file to make shop orders available to the R/3 SAP System. My question concerns BELNR in E2EDK01. As we don't have the possibility to use Webservices and BAPI, we only make the data available via files.
Actual questions are:
Do I still need a [BELNR] in the IDOC file?
If yes, where to get this [BELNR] from?
E2EDK01-BELNR is the order number of the ordering party, normally it is not needed, but useful.
Example:
The customer sends an order and is unsure whether you received it. So he sends the order again. Now you have two similar orders. You can't know whether there are two similar orders or whether you have two idocs for the same order.
If E2EDK01-BELNR is filled with the order number of the customer system, you can decide how to proceed (e.g. ignore the 2nd idoc).
If I understand your question correctly, you create the order out of your shop system. You could offer an (optional) field like 'Your order number' and use this. If the same order number (per customer) is used again you can issue a warning ("Order X is already ordered").
If you don't want this field you could use the session id to identify double postings.
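The duplicate-posting check the answer describes, as an added Python example (not code from the question or the answer, and not tied to any IDoc library): the customer's own order number, as it would be carried in E2EDK01-BELNR, is used as an idempotency key scoped per customer, with the shop session id as the fallback the answer suggests when no order number is available. Customer ids, order numbers and session ids are constructed.

```python
class OrderIntake:
    """Detects re-sent shop orders before they become duplicate SAP orders.

    The idempotency key is (customer, kind, reference): the customer's order
    number (E2EDK01-BELNR) when the shop supplies one, else the shop session
    id. Scoping by customer lets two customers reuse the same order number,
    and the kind prevents a BELNR value colliding with a session id.
    """

    def __init__(self):
        self._seen = set()

    def process(self, customer, belnr=None, session_id=None):
        """Return 'accepted', 'duplicate' or 'unkeyed'.

        'unkeyed' means neither reference was supplied, so the order cannot be
        deduplicated automatically and should be flagged for manual review.
        """
        if belnr:
            key = (customer, "belnr", belnr)
        elif session_id:
            key = (customer, "session", session_id)
        else:
            return "unkeyed"
        if key in self._seen:
            return "duplicate"
        self._seen.add(key)
        return "accepted"


if __name__ == "__main__":
    intake = OrderIntake()
    print(intake.process("C001", belnr="PO-4711"))        # accepted
    print(intake.process("C001", belnr="PO-4711"))        # duplicate
    print(intake.process("C002", belnr="PO-4711"))        # accepted (different customer)
    print(intake.process("C003", session_id="s-9f3"))     # accepted
    print(intake.process("C004"))                         # unkeyed
```

In production the seen-set would be a persistent store, since a resend may arrive long after the first file was processed.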

QuickFIXJ setting SendingTime in messages

I have a FIX application which is connected to several price providers. It distributes the data it receives to our inner applications. When it is sending the received messages from the price providers to the target applications, it modifies the SendingTime(52) field in the FIX header, which is not acceptable. The inner applications want to get the original SendingTime value. How can I tell the QuickFIXJ engine not to assign a timestamp value?
Thanks
What you desire... is kind of wrong. Header fields are to be used by the engine, and for application data (which is what this relayed SendingTime kind of is on the second leg). Your inner FIX connection should not be clobbering the SendingTime field. You might need the actual SendingTime field if you are diagnosing problems with your inner connection!
What you really need is a second SendingTime field. You should edit the DD of your inner FIX applications to add another field for which to store the old SendingTime value. Tell your inner target apps to refer to that field.
NOTE: You probably don't want to use OrigSendingTime (tag 122) for this. That field has a very specific usage already. Name your new field something else.
FIX Market Data messages (35=W, 35=X) usually have MDEntryDate (#272) and MDEntryTime (#273) fields to represent the timestamp of the market data price. If it is related to Quote/trade messages, you may have the TransactTime (#60) field.
It is worth keeping the SendingTime (#52) and MDEntryDate/MDEntryTime/TransactTime separate; you can then compare the difference between the price's timestamp and the counterparty's infrastructure timestamp (sending time). It would help to identify delay between the systems.
If the message you are handling does not have any Application DateTime field, you can pick one whose value would be the SendingTime of the original FIX message you've received.
You can either select and use an existing field (http://www.onixs.biz/fix-dictionary/4.4/fields_by_name.html) or you can create your own user-defined field.
Once you have decided to create your own field, it is good practice to check the official Global Technical Committee user-defined fields list at https://www.fixtrading.org/standards/user-defined-fields/ and to use the user-defined fields range.
Sites
Fields by message: https://www.onixs.biz/fix-dictionary.html
User defined fields: https://www.fixtrading.org/standards/user-defined-fields/
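An added example, written here in plain Python rather than QuickFIX/J, of the relay transformation both answers recommend: the provider's SendingTime(52) is copied into an application-level user-defined tag so the inner-leg engine can stamp its own header fields without destroying the original timestamp. Tag 5001 is a hypothetical choice from the user-defined range (5000-9999); tag 122 is deliberately not used, as the first answer warns. The provider message, the session identifiers and the timestamps are constructed; BodyLength(9) and CheckSum(10) are recomputed exactly as a FIX engine would, and verify_fix checks them, so the output is a well-formed FIX 4.4 message.

```python
SOH = "\x01"
# Engine-owned session fields: regenerated on every leg, never relayed.
SESSION_TAGS = {8, 9, 10, 34, 49, 52, 56}
# Hypothetical user-defined tag (UDF range 5000-9999) for the preserved
# provider SendingTime. Not OrigSendingTime(122), which has its own meaning.
ORIG_SENDING_TIME_TAG = 5001


def parse_fix(raw):
    """Split a raw FIX message into an ordered list of (tag, value) pairs."""
    pairs = []
    for field in raw.strip(SOH).split(SOH):
        tag, _, value = field.partition("=")
        pairs.append((int(tag), value))
    return pairs


def checksum(text):
    """FIX CheckSum: sum of all bytes up to (and including) the SOH before 10=."""
    return sum(text.encode("ascii")) % 256


def build_fix(begin_string, fields):
    """Assemble a message from header-after-9 plus body fields, computing
    BodyLength(9) and CheckSum(10) as the engine would."""
    body = "".join(f"{t}={v}{SOH}" for t, v in fields)
    msg = f"8={begin_string}{SOH}9={len(body)}{SOH}{body}"
    return f"{msg}10={checksum(msg):03d}{SOH}"


def verify_fix(raw):
    """True when the declared BodyLength and CheckSum match the message text."""
    nine = raw.index(SOH + "9=") + 1            # start of the '9=' field
    head_end = raw.index(SOH, nine) + 1          # first byte counted by BodyLength
    trailer = raw.rindex(SOH + "10=") + 1        # start of the '10=' field
    body_len = int(raw[nine + 2:head_end - 1])
    declared = int(raw[trailer + 3:trailer + 6])
    return body_len == trailer - head_end and declared == checksum(raw[:trailer])


def relay(incoming_raw, inner_header, orig_time_tag=ORIG_SENDING_TIME_TAG):
    """Rebuild a provider message for the inner leg: session fields are dropped
    (the inner engine supplies its own), MsgType(35) stays first, and the
    provider's SendingTime is preserved in an application-level tag."""
    fields = parse_fix(incoming_raw)
    values = dict(fields)
    app_fields = [(t, v) for t, v in fields if t not in SESSION_TAGS and t != 35]
    ordered = [(35, values[35])] + inner_header + [(orig_time_tag, values[52])] + app_fields
    return build_fix(values[8], ordered)


# Constructed incremental refresh (35=X) as received from a price provider.
PROVIDER_MSG = build_fix("FIX.4.4", [
    (35, "X"), (49, "PROVIDER"), (56, "GATEWAY"), (34, "42"),
    (52, "20240102-09:59:59.250"),
    (262, "req-1"), (268, "1"), (279, "0"), (269, "0"), (55, "EUR/USD"),
    (270, "1.0950"), (272, "20240102"), (273, "09:59:59.200"),
])
# Constructed header the inner-leg engine would stamp (its own 52).
INNER_HEADER = [(49, "GATEWAY"), (56, "PRICING"), (34, "7"),
                (52, "20240102-10:00:00.010")]


if __name__ == "__main__":
    out = relay(PROVIDER_MSG, INNER_HEADER)
    print(out.replace(SOH, "|"))
    print(verify_fix(out))
```

The inner applications then read tag 5001 for the provider's timestamp, while tag 52 keeps its session-level meaning for diagnosing the inner connection, and the MDEntryDate/MDEntryTime pair remains available for the price-vs-infrastructure latency comparison the second answer describes. In QuickFIX/J the equivalent step is adding the new tag to the inner data dictionary and setting it on the application message before send.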

sp_RestoreDatabase and ADSSYS password

To restore a database using the procedure SP_RESTOREDATABASE or the AdsBackup utility, you need to provide the ADSSYS password as a parameter. We have secured our database using encryption and access is restricted to specific users. But anyone using Data Architect can retrieve the ADSSYS password while the restore is taking place in the ACTIVE QUERIES tab under the Remote Server Info/Advantage Management Utility. The password appears as clear text. If query logging was enabled, I suppose it would be available in the log as well.
Is there a way to prevent a query from being shown in the log or the active queries window?
You should use a parameterized query. In that case, the parameter values will not be visible:
execute procedure sp_restoredatabase( :backuploc, :password, :restoreloc, null );
Then supply the values for the parameters backuploc, password, and restoreloc.
Note too that v11.0 restricts the visibility of that information in general. It requires a DB:Admin connection to a dictionary in order to view any statements executed on that dictionary.

Passing Parameters To report using url address

I'm developing some reports for Main Page in Dynamics Ax, however the problem I've got is connected with SSRS. Typical scenario: I have report A and report B, and I need to open report A when clicking on report B. Opening the report itself is correct, but passing parameters is more tricky. After some research I got to the point where I want to run report A in the browser using the address
http://(server address)/Reports/Pages/Report.aspx?ItemPath=/Dynamics/Reports.VendorsOpenTransactionsCount.AutoDesign1&rs:Command=Render&VendOpenTrans_dataAreaID=dor&VendOpenTrans_p1=2011-07-21&VendOpenTrans_p2=2011-07-21
and then I get the report displayed (main window) but none of the parameters are validated into the proper textboxes, and changing their values doesn't have any impact.
Can anyone here help me with that "challenge"?
Actually, I believe the critical difference is whether you are passing parameters (via URL) to a report that is using database engine or the SSAS - the analytical engine as a data source.
If your data source is the analytical engine then your parameter should be given in the 'dimension format', rather than in the precise format, like &parmname=140, etc. Allow me to explain using a specific example and using an SSAS data source for this illustration (there are plenty of solutions available on the net for the database engine based solution, including Microsoft postings).
My server name is FRELASM.
So, I have SSAS data source called DealerSource (not visible here).
I have parameter defined in the parameter's section of the SSRS as: #DwDimDealerCorpDlrNbr
In SSAS I have the following dimension:
[Dw dim Dealer] that has attribute: [Corp Dlr Nbr] ==> giving: [Dw dim Dealer].[Corp Dlr nbr]
What I want is to show a report for a single dealer 'number' (but it is a text field, hence the leading zeros) equal to 00140. So, I am looking for Corporate dealer number=00140.
The parameter passing DOES NOT WORK if I use this (this would be fine against the database engine, but it does not work with SSAS).
What you need is this:
replace the constant 00140 with [dimension].[attribute].[value]
do not use the & character; rather, replace it with %26.
So, the working version is this.
Can you take a look at this page: http://msdn.microsoft.com/en-us/library/ms155391.aspx
It explains about when you can pass parameters via URL. Maybe your parameters are not set to Prompt for user input. HTH.
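The URL construction the SSAS answer describes, as an added Python example (not code from either answer): the parameter value is the member unique name in the [dimension].[attribute].&[key] form that an analytical data source expects, and the whole query string is percent-encoded so the & inside that member name arrives as %26 rather than being read as a query-string separator. The server name FRELASM and the parameter name DwDimDealerCorpDlrNbr come from the answer; the report item path is assumed, and the .&[key] member-key syntax is standard MDX, not something the page spells out.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Server name from the answer; the Report Server path is assumed.
REPORT_SERVER = "http://FRELASM/Reports/Pages/Report.aspx"


def ssas_member(dimension, attribute, key):
    """Member unique name for an SSAS-backed report parameter. The '&' marks
    the member key, which is why it must be percent-encoded in a URL."""
    return f"[{dimension}].[{attribute}].&[{key}]"


def report_url(item_path, params):
    """Build a Report Server URL. Every key and value is percent-encoded, so
    spaces become %20, brackets %5B/%5D and '&' %26; only the separators
    between parameters remain literal '&'. ':' is kept so rs:Command reads
    as in the original URL."""
    query = {"ItemPath": item_path, "rs:Command": "Render"}
    query.update(params)
    return REPORT_SERVER + "?" + urlencode(query, safe="/:", quote_via=quote)


def decode_params(url):
    """Decode the query string as the server would, for checking round-trips."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed item path; dealer number 00140 is the one from the answer.
    member = ssas_member("Dw dim Dealer", "Corp Dlr Nbr", "00140")
    url = report_url("/Dynamics/Reports.DealerReport", {"DwDimDealerCorpDlrNbr": member})
    print(url)
    print(decode_params(url)["DwDimDealerCorpDlrNbr"])
```

Encoding with a library rather than by hand also covers the spaces and brackets in the member name, which fail in the same way the bare & does when pasted literally.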
